Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69796

User enumeration through the groupuserpicker api resource - CVE-2019-8449

    XMLWordPrintable

Details

    Description

      Issue summary

      The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

      Workaround

      If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in blocking this API endpoint on the Tomcat side by forcing it to return a 403 error.

      The steps are:

      1. Add to the file <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml the rule below, which will return a 403 error whenever someone who is not authenticated via Cookie (IE, normal browser access, or cookie based API calls) calls /rest/api/latest/groupuserpicker: 
            <rule>
     	<condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
     	<from>^(?s)/rest/api/.*/groupuserpicker</from>
     	<set type="status">403</set>
        	<to>null</to>
    </rule>
      1. Re-start Jira

      Attachments

        Issue Links

          mentioned in

          Page Loading...

          relates to

          RAID-1712 Loading...

          Activity

            People

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: